Public outcry in Mauritius as new social media proposal gives authorities access to private data

Authorities in Mauritius have made public a proposal to legalise eavesdropping on social media networks such as Facebook, Twitter and TikTok.

The move has sparked a public outcry in the country, and is seen by many citizens as the latest attempt by authorities to stifle freedom of expression.

Should the proposal progress to parliament and be amended into law, authorities could get access to sensitive data including usernames, passwords, credit card information as well as direct messages on Twitter and Instagram.

Authorities initially seemed to suggest that messaging apps with end-to-end encryption like WhatsApp would also be monitored but have since clarified that that would not be the case, blaming “fake news” for the confusion.

Authorities say the public should trust that they will only look at public information users have shared on social media, not private information.

Read More:

The proposal, purported to be about the regulation of social media, would give Mauritian authorities the power to block “offensive and abusive” content, and to refer IP addresses of certain users to the police.

People in Mauritius are wary that the move will give authorities undue power to snoop on their personal lives and censor content that is deemed to be critical of the authorities.

“You cannot screen everyone’s communications first and then determine what is private or public, or what is right or wrong second,” says Ish Sookun, an IT professional who is involved in policy discussions in Africa and the Indian Ocean region. “It is problematic; people have private lives.”

Ariel Saramandi, a freelance journalist whose online petition to reject the proposal accrued tens of thousands of votes in a matter of days, says the proposal would allow the authorities to wield immense power that they should not have. “Freedom of expression is one of the most important freedoms we purport to have in Mauritius. But this leaves the door open to agenda-setting by the authorities.”

The proposal is an escalation of an existing law which has led to the arrest of citizens for posting content that is deemed to cause “inconvenience”.

Last year, a 74-year-old man was arrested for sharing a doctored image of the Mauritian prime minister Pravind Jugnauth on Facebook. A former senior civil servant was also arrested and detained overnight for sharing a meme of Mr Jugnauth.

The 24-page long proposal describes the deployment of a technique known as a man-in-the-middle attack which is typically used by cyber attackers to secretly access online conversations. It has also been used by the government of Kazakhstan to intercept secure traffic from users in the country.

Authorities will install a local server which impersonates social media networks to fool devices and web browsers into sending secure information to the local server instead of directly to social media networks. Once intercepted by the local server, the information will be decrypted and copied, effectively creating an archive of the social media information of all users in Mauritius. The information will then be re-encrypted and redirected to the social media networks.

The proposal makes no mention of how long the information will be archived for. Nor does it mention any measures to protect the archived information from cybercriminals.

open image in gallery

According to Sookun, the local server will be susceptible to breaches.

“When data is decrypted, it becomes plain text. This is how people’s usernames, passwords and credit card information will be stored on the local server – as plain text. There is a higher risk of a data leak from the local server than from the servers of Big Tech companies like Facebook. A simple breach would be catastrophic.”

Users and companies based outside of Mauritius will also be concerned about the proposal. Information they share on social media with people in Mauritius could be caught in the net without their knowing, potentially breaching data protection regulations which protects the data of EU citizens.

“An EU citizen conversing on social media with someone in Mauritius will have their data decrypted,” affirms Sookun. “It will be a breach of GDPR.”

But the proposal could yet be stopped in its tracks. Authorities are soliciting comments about the proposal and a number of Mauritians have organised on social media to encourage them to send feedback and sign petitions like Saramandi’s.

People outside of Mauritius are also voicing their disapproval in the online petition. Award-winning American author, Alexander Chee, signed the petition and says that the proposal is “an appalling abuse of power”.

But whether strong local and international opposition will dissuade the government from taking the proposal any further remains to be seen.